Characterization of collective Gaussian attacks and security of coherent-state quantum cryptography

We provide a simple description of the most general collective Gaussian attack in continuous variable quantum cryptography. In the scenario of such general attacks, we analyze the asymptotic secret-key rates which are achievable with coherent states, joint measurements of the quadratures and one-way classical communication.

During recent years, quantum systems with infinite dimensional Hilbert spaces have become the object of increasing interest within the quantum information community. These systems are generally called continuous variable systems and their standard prototype is given by the bosonic modes of the radiation field. In ordinary experiments in quantum optics, bosonic modes are generated in states with Gaussian statistics and these statistics are commonly preserved during subsequent optical manipulation. Further, the Gaussian statistics can be preserved at the end of quantum communication lines (e.g., optical fibers), where noisy transformations of the state are induced by the interaction with an external environment. From a theoretical point of view, the standard model for this kind of transformation is represented by the one-mode Gaussian channel. This is a completely positive trace-preserving (CPT) map that transforms Gaussian states into Gaussian states, without creating any kind of correlation among the various bosonic modes. The mathematical structure of this map is relatively simple and has been further simplified in Ref. Q via the introduction of canonical forms.

In the context of continuous variable quantum key distribution (cvQKD), one-mode Gaussian channels can be interpreted as the effect of collective Gaussian attacks. Starting from this consideration, here we extend the results of Refs. [3) 0| to provide a full characterization of the most general collective Gaussian attack in cvQKD. Recall that collective Gaussian attacks have been recognized as the most powerful collective attacks in cvQKD with Gaussian resources 0]. Furthermore, under suitable conditions J], collective attacks have been recently proven to bound the most general attacks (coherent attacks) against cvQKD protocols. Using our general characterization of collective Gaussian attacks, we then analyze the security of a cvQKD protocol, where coherent states are used to generate secret correlations. Such a protocol is a simple generalization of the non-switching protocol of Ref. [7], where further post-processing of the classical data is also used to compensate possible squeezing and rotation of the output quadratures.

Let us consider a single bosonic mode, whose quadratures $\hat{x}^T := (\hat{q}, \hat{p})$ satisfy $[\hat{x}, \hat{x}^T] = 2i\Omega$, where the matrix $\Omega$ is defined by the entries $\Omega_{11} = \Omega_{22} = 0$ and $\Omega_{12} = -\Omega_{21} = 1$. Every Gaussian state $\rho$ 2j| of the system is characterized by a displacement vector $\bar{x} := \mathrm{Tr}(\hat{x}\rho)$ and a covariance matrix $V := \mathrm{Tr}\{[\hat{x}\hat{x}^T + (\hat{x}\hat{x}^T)^T]\rho\}/2 - \bar{x}\bar{x}^T$. In a quantum communication scenario, this kind of state can be used by a sender (Alice) to transmit classical information to a receiver (Bob) through a noisy quantum channel. Usually, Alice chooses $\rho(\bar{x}, V)$ from an ensemble of signal states $\mathcal{A} := \{p(\bar{x}), \rho(\bar{x}, V)\}$ encoding a classical variable $X := \{p(\bar{x}), \bar{x}\}$. This variable describes the modulation of the displacement $\bar{x}$ via some probability distribution $p(\bar{x})$. The signal states are then sent to Bob, in independent uses of the quantum channel. At the output, Bob gets a noisy ensemble $\mathcal{B}$, whose (incoherent) detection gives a classical variable $Y$ which is correlated to $X$ (see Fig. 1, step 1). In this scenario, the standard model for the noise process is represented by the one-mode Gaussian channel. By definition, this channel is a CPT map $\mathcal{G}$ acting on a single bosonic mode and preserving the Gaussian statistics of the input state. The mathematical description of this channel is fully contained in a triplet $\{T, N, d\}$, where $d$ is a vector and $T$, $N$ are $2 \times 2$ real matrices [sj. Explicitly, the action of $\mathcal{G}(T, N, d)$ on a Gaussian state $\rho(\bar{x}, V)$ corresponds to the simple transformations



$$\bar{x} \to T\bar{x} + d, \qquad V \to TVT^T + N. \qquad (1)$$



In particular, for $N = 0$ and $T := S$ symplectic (i.e., $S\Omega S^T = \Omega$), the channel represents a Gaussian unitary. This means that we can set $\mathcal{G}(S, 0, d) := \mathcal{U}(S, d)$ where $\mathcal{U} : \rho \to \hat{U}\rho\hat{U}^\dagger$ with $\hat{U}$ a unitary operator.

Remarkably, the mathematical structure of $\mathcal{G}(T, N, d)$ can be further simplified thanks to recent results of Ref. [3]. In fact, every $\mathcal{G}(T, N, d)$ can be decomposed as $\mathcal{G} = \mathcal{U}_B \circ \mathcal{C} \circ \mathcal{U}_A$, where $\{\mathcal{U}_A, \mathcal{U}_B\}$ are Gaussian unitaries, while the map $\mathcal{C}$, called the canonical form, represents a Gaussian channel with $d = 0$ and $T_c$, $N_c$ diagonal. The explicit expressions of $T_c$ and $N_c$ depend on three symplectic invariants of the channel: the generalized transmission $\tau := \det T$ (ranging from $-\infty$ to $+\infty$), the rank $r := [\mathrm{rk}(T)\,\mathrm{rk}(N)]/2$ (with possible values $r = 0, 1, 2$) and the temperature $\bar{n}$ (which is a positive number related to $\det N$ !9!]). These three invariants $\{\tau, r, \bar{n}\}$ completely characterize the two matrices $T_c$, $N_c$ and, therefore, the corresponding canonical form $\mathcal{C} = \mathcal{C}(\tau, r, \bar{n})$. In particular, the first two invariants $\{\tau, r\}$ determine the class of the form. The full classification is explicitly shown in the following table

In this table, the values of $\{\tau, r\}$ in the first two columns specify a particular class $A_1$, $A_2$, $B_1$, $B_2$, $C$ and $D$ [lo| . Within each class, the possible canonical forms are expressed in the third column, where also the third invariant $\bar{n}$ must be considered. The corresponding expressions of $T_c$, $N_c$ are shown in the last two columns, where $Z := \mathrm{diag}(1, -1)$, $I := \mathrm{diag}(1, 1)$ and $0$ is the zero matrix.

Thus, an arbitrary one-mode Gaussian channel $\mathcal{G}(T, N, d)$ can be expressed by a unique canonical form $\mathcal{C}(\tau, r, \bar{n})$ up to a pair of input-output Gaussian unitaries $\{\mathcal{U}_A, \mathcal{U}_B\}$. Now, it is known that every quantum channel can be represented by a unitary interaction coupling the signal system to an environment, prepared in some initial state $\rho_E$. When $\rho_E$ is pure, such a dilation is called a "Stinespring dilation" and is unique up to partial isometries [lH . By extending the results of Ref. [1], we easily construct the Stinespring dilations of all the canonical forms. In detail, a generic $\mathcal{C}(\tau, r, \bar{n})$ can be dilated to a three-mode Gaussian unitary corresponding to a symplectic transformation $L = L(\tau, r)$ [13]. This transformation mixes the input state $\rho_A$ with a two-mode squeezed vacuum (TMSV) state $|w\rangle$ of variance $w = 2\bar{n} + 1$ (see Fig. 1, step 2). Compactly, we denote by $\{L(\tau, r), |w\rangle\}$ the Stinespring dilation of a generic canonical form $\mathcal{C}(\tau, r, \bar{n})$. For particular choices of the class $\{\tau, r\}$, this dilation corresponds to well-known Gaussian models of interaction. In particular, for $\{\tau, r\} = \{1, 2\}$, it corresponds to a universal Gaussian cloner [13], while for $0 < \tau < 1$ and $r = 2$, it describes an entangling cloner 1J|, i.e., a beam-splitter of transmission $\tau$ mixing the signal with one mode of the TMSV state $|w\rangle$.

Thus, every one-mode Gaussian channel $\mathcal{G}(T, N, d)$ can be uniquely represented by the Stinespring dilation $\{L(\tau, r), |w\rangle\}$, up to Gaussian unitaries $\{\mathcal{U}_A, \mathcal{U}_B\}$ on the channel and isometries on the environment $E$. By assuming an environment which is bounded in Euclidean space (i.e., a finite box), the total set of environmental modes is countable. In such a case, the action of an isometry on $E$ is equivalent to a unitary $U_E$ involving the two output ancillas $E$ and all the remaining ancillas $e = \{e_i\}_{i=1}^{\infty}$ of the environment (prepared in the vacuum state). In other words, $\mathcal{G}(T, N, d)$ can be represented by the maximal Stinespring dilation $\{L(\tau, r) \oplus I_e, |w\rangle_E \otimes |0\rangle_e\}$, up to Gaussian unitaries $\{\mathcal{U}_A, \mathcal{U}_B\}$ on the channel and unitaries $U_E$ on the environment $\{E, e\}$ (see Fig. 1, step 3) ,15|.




FIG. 1: The general scenario in five steps. (1) Quantum communication. Alice randomly picks signal states $\rho$ from an ensemble $\mathcal{A}$ encoding a classical variable $X$. At the output of the channel, Bob detects the states via a quantum measurement. The corresponding outcomes define an output classical variable $Y$ correlated to $X$. (2) One-mode Gaussian channel. A one-mode Gaussian channel $\mathcal{G}$ corresponds to a canonical form $\mathcal{C}$ up to a pair of Gaussian unitaries $\mathcal{U}_A$ (at the input) and $\mathcal{U}_B$ (at the output). The central canonical form $\mathcal{C}$ can be dilated to a symplectic interaction $L$ involving two ancillary modes $E := \{E_1, E_2\}$ prepared in a TMSV state $|w\rangle_E$. The dilation of the form is unique up to isometries acting on $E := \{E_1, E_2\}$. (3) Maximal dilation. By assuming Eve is in a finite box, the dilation can be extended (via an identity) to the remaining modes $e = \{e_i\}_{i=1}^{\infty}$ of the environment (prepared in vacua). This maximal dilation of $\mathcal{C}$ is now unique up to unitaries $U_E$ acting on $\{E, e\}$. (4) Collective Gaussian attack. All the output ancillas $\{E, e\}$ provide an ensemble $\mathcal{E}$, which Eve can detect to estimate $X$ or $Y$. By using an entropic bound for Eve's accessible information, the extra ancillas and the extra unitary (dashed boxes in the figure) can be neglected. As a consequence, only the set $G := \{L(\tau, r), |w\rangle, \mathcal{U}_A, \mathcal{U}_B\}$ (solid boxes in the figure) is needed to characterize the attack. (5) Coherent-state protocol. Alice's signal states $\rho$ are coherent states $|\alpha\rangle$ whose amplitudes encode a Gaussian variable ($X = \alpha$). Bob's measurement is a heterodyne detection retrieving the output amplitudes ($Y = \beta$).

Let us now consider the standard cryptographic scenario, where the whole environment is under control of a malicious eavesdropper (Eve). For each signal state, Eve can store the corresponding output ancillas $\{E, e\}$ in a quantum memory, detectable by a coherent measurement $\mathcal{M}_E$ at any time of the quantum communication. For infinite uses of the channel, the output ancillas $\{E, e\}$ will provide an output ensemble of states $\mathcal{E}$. Such an ensemble can be expressed in terms of Alice's variable $X$ or Bob's variable $Y$. In other words, there always exist two coherent measurements, $\mathcal{M}_E(X)$ and $\mathcal{M}_E(Y)$, which are optimal in the estimation of $X$ and $Y$, respectively. This scenario represents the most general description for a collective Gaussian attack. Luckily, this description can be greatly simplified if we adopt a suitable "entropic bound" to restrict Eve's accessible information on her output ensemble $\mathcal{E}$. This bound can be provided by the Holevo information, but also by the quantum mutual information or, more generally, by the von Neumann entropy. On the one hand, this bound enables us to ignore the details of the quantum measurement $\mathcal{M}_E$. On the other, since the bound is unitarily invariant, the environmental unitary $U_E$ and the extra ancillas "$e$" can be also neglected. As a consequence, the attack's description can be reduced to the set $G := \{L(\tau, r), |w\rangle, \mathcal{U}_A, \mathcal{U}_B\}$, where $\{\tau, r, w\}$ are the channel symplectic invariants and $\{\mathcal{U}_A, \mathcal{U}_B\}$ the input-output Gaussian unitaries (see Fig. 1, step 4). In particular, the Gaussian unitaries $\{\mathcal{U}_A, \mathcal{U}_B\}$ are equivalent to a pair of displacements $\{d_A, d_B\}$ and a pair of symplectic matrices $\{M_A, M_B\}$. These matrices may be written as $M_A = (a_1, a_2)^T$ and $M_B = (b_1, b_2)$, where $\{a_1, a_2, b_1, b_2\}$ are column-vectors. The scalar products of these vectors define three important parameters which contain the basic information about the non-invariant action of the attack. Explicitly, these parameters are

$$\theta := |a_1|^2 |b_1|^2 + 2(a_1 \cdot a_2)(b_1 \cdot b_2) + |a_2|^2 |b_2|^2, \qquad \theta_A := |a_1|^2 + |a_2|^2 \quad \text{and} \quad \theta_B := |b_1|^2 + |b_2|^2.$$



Using the Euler decomposition of the symplectic matrices, we can prove the lower bounds [16]

$$\theta \ge 2, \qquad \theta_A \ge 2, \qquad \theta_B \ge 2. \qquad (2)$$



Notice that we may call "canonical" the attacks of the form $C := \{L(\tau, r), |w\rangle, \mathcal{I}, \mathcal{I}\}$, where $\mathcal{I}$ is the ideal channel (i.e., the identity map). For this kind of attack it is easy to prove the minimal condition $\theta = \theta_A = \theta_B = 2$.

Let us now analyze the security of a cvQKD protocol, which is a direct generalization of the non-switching protocol of Ref. (3]. In this protocol, Alice prepares a coherent state $|\alpha\rangle$ whose complex amplitude $\alpha$ is randomly modulated by a Gaussian distribution with zero mean and variance $\mu$. Then, Alice sends $|\alpha\rangle$ to Bob, who decodes a conditional amplitude $\beta|\alpha$ by heterodyne detection. Such a process is repeated many times, with Bob getting an output random amplitude $\beta$ (see Fig. 1, step 5). At the end of the quantum communication, part of the data $\{\alpha, \beta\}$ is publicly disclosed by Alice and Bob. This step allows them to realize quantum tomography of the Gaussian channel $\mathcal{G}(T, N, d)$, which completely discloses $T$, $N$ and $d$. In fact, from the analysis of the first and second statistical moments, they can fully retrieve the two transformations of Eq. (1). Thanks to this information, Bob is able to process his classical data $\beta$ in order to make an optimal estimation of Alice's signal $\alpha$. Such a classical post-processing is equivalent to inverting the displacement transformation in Eq. (1), which generally involves squeezing and rotation of the two quadratures. Alternatively, Alice can exploit Eq. (1) to process her data $\alpha$ and estimate Bob's variable $\beta$. The first situation corresponds to direct reconciliation, where $\alpha$ is the reference variable, decoded by Bob with the help of one-way classical communication (CC) from Alice. By contrast, the second situation corresponds to reverse reconciliation [14], where $\beta$ is the reference variable, decoded by Alice with the help of one-way CC from Bob. In both cases, the classical mutual information of Alice and Bob is given by $I(\alpha : \beta) = H(\beta) - H(\beta|\alpha)$, where $H(\cdots)$ is the Shannon entropy for bivariate Gaussian variables [13].

The Gaussian channel $\mathcal{G}(T, N, d)$ between the users is the effect of a collective Gaussian attack. Bounding Eve with the Holevo information, this attack can be fully characterized by the set $G := \{L(\tau, r), |w\rangle, \mathcal{U}_A, \mathcal{U}_B\}$. In this description, the Holevo information $I(\gamma : E)$ of Eve on the reference variable $\gamma = \alpha, \beta$ can be computed from the restricted set of ancillas $E$ (see Fig. 1). The secret-key rate $R$ of the protocol is then equal to $R = \max\{0, R(\alpha), R(\beta)\}$, where $R(\gamma) := I(\alpha : \beta) - I(\gamma : E)$ is the rate with respect to Alice's variable $\gamma = \alpha$ (direct reconciliation) or Bob's variable $\gamma = \beta$ (reverse reconciliation). Let us consider the asymptotic secret-key rate $R_\infty := \lim_{\mu \to +\infty} R$ that can be reached in the limit of high modulation ($\mu \to +\infty$). Here, we consider all the values of the transmission $\tau$ with the exception of $\tau = 1$. The asymptotic rate $R_\infty$ can be easily proven to be zero for every $\tau < 0$ [16]. By contrast, in the positive region $0 < \tau \ne 1$, the explicit formula of $R_\infty$ is extremely hard to compute. For this reason, we provide a lower bound $B_\infty \le R_\infty$ which has the non-trivial advantage of further simplifying the description of the attack. Therefore, we only consider the positive range $0 < \tau \ne 1$ in the remainder of the paper. It is easy to prove that the mutual information of Alice and Bob has the asymptotic expression $\lim_{\mu} I(\alpha : \beta) = \log(\mu/\eta)$, where



J] := -[1 + + (1 - r)W +t6' + |1 -t|u;(t6 

T 



The latter quantity $\eta$ represents the total noise affecting the quantum communication. It depends on the two invariants $\{\tau, w\}$ plus the three non-invariant parameters $\{\theta, \theta_A, \theta_B\}$ coming from $\{\mathcal{U}_A, \mathcal{U}_B\}$. Let us now bound the Holevo information $I(\gamma : E)$ of Eve. In direct reconciliation, $I(\alpha : E)$ can be bounded using the condition $\theta_A \ge 2$ [31, while, in reverse reconciliation, $I(\beta : E)$ can be bounded by the quantum mutual information. As a consequence, we get the following bound on the secret-key rate $R_\infty \ge B_\infty := \max\{0, B_\infty(\alpha), B_\infty(\beta)\}$, where

Boo{a)^log(—-^——)~g{w)+g{T+\l-T\w) , 
\e\l-T\T]J 

(3) 

and 

BooiP) = log (—^—-) _ , (4) 

with $g(x) := [(x+1)/2] \log[(x+1)/2] - [(x-1)/2] \log[(x-1)/2]$. Notice that these asymptotic rates depend only on the three parameters $\{\tau, w, \eta\}$. In other words, the significant information about the Gaussian attack $G$ is fully contained in the triplet $\{\tau, w, \eta\}$, where $\tau$ and $w$ are symplectic invariants of the channel, while $\eta$ includes the non-invariant effect of the input-output unitaries $\{\mathcal{U}_A, \mathcal{U}_B\}$. Such a triplet is completely known to the honest users thanks to the tomography of the channel and, therefore, the corresponding value of $B_\infty$ can be easily derived.

It is now interesting to analyze the performance of the canonical attacks in terms of the asymptotic rate $B_\infty$. It is easy to show that, for fixed invariants $\tau$ and $w$, canonical attacks are the least perturbative and least powerful attacks. In fact, for a canonical attack, we have $\theta = \theta_A = \theta_B = 2$, so that the total noise $\eta$ takes the minimum value

$$\eta = 1 + \frac{1}{\tau} + \frac{|1-\tau|}{\tau}\, w =: \eta_c(\tau, w). \qquad (5)$$

Then, since $B_\infty$ is monotonic in $\eta$ [according to Eqs. (3) and (4)], the minimization of $\eta$ is equivalent to the maximization of $B_\infty$ (for fixed $\tau$ and $w$). By contrast, we can easily prove that the canonical attacks are the most powerful Gaussian attacks for fixed transmission $\tau$ and total noise $\eta$. In other words, for every Gaussian attack, with triplet $\{\tau, w, \eta\}$, there always exists a canonical attack, with triplet $\{\tau, w' > w, \eta\}$, such that $B_\infty(\tau, w', \eta) < B_\infty(\tau, w, \eta)$. The proof is very easy. The noise $\eta$ of an arbitrary Gaussian attack $G$ with $\{\tau, w, \eta\}$ is minimized by the noise $\eta_c(\tau, w)$ of a canonical attack $C$ with $\{\tau, w, \eta_c(\tau, w)\}$. Now, let us increase $w$ while keeping $\tau$ fixed in $\{\tau, \eta_c(\tau, w)\}$. From Eq. (5), we see that $\eta_c(\tau, w)$ increases in $w$ and, therefore, we can choose a value $w' > w$ such that $\eta_c(\tau, w') = \eta$. Then, we get a new canonical attack $C'$ with triplet $\{\tau, w', \eta\}$. But now, also the two quantities $g(w)$ and $g(w) - g(\tau + |1-\tau|w)$ are increasing in $w$. Therefore, for fixed $\tau$ and $\eta$, the condition $w' > w$ minimizes the rates of Eqs. (3) and (4), which concludes the proof. By combining the previous results on the asymptotic rate $B_\infty(\tau, w, \eta)$, we deduce that canonical attacks can be seen as extremal Gaussian attacks, since they provide upper bounds for fixed $\{\tau, w\}$ and lower bounds for fixed $\{\tau, \eta\}$.

In conclusion, we have given a simple and compact description of a completely general collective Gaussian attack. Using such a characterization, we have derived the asymptotic secret-key rates that are reachable by a protocol using coherent states, joint measurements of the quadratures, and one-way classical communications. In particular, the secret-key rates can be bounded by relatively simple quantities depending on three channel parameters only. In terms of these bounds, a particular class of attacks (canonical attacks) can be considered as extremal. Finally, this work paves the way for completely general security analyses of cvQKD protocols, where explicit derivations of secret-key rates can be made without any assumptions on the eavesdropper's interaction.